1. Field of the Invention
This invention pertains in general to computer security, and more specifically to detecting network devices and to mapping the topology of networks using network introspection by collaborating nodes/endpoints.
2. Description of the Related Art
In order to effectively protect networks, it is necessary to gather information about these networks and determine their configuration. Situational awareness for system and network administrators in large, distributed enterprise organizations requires detailed understanding and information about the networks supporting the organization's information systems and the assets running on those networks. Networks are constantly changing as assets come and go and network elements are configured and reconfigured to provide required services.
Yet, understanding networks is a difficult problem. Information regarding the network, including network topology and configuration, is difficult to collect and costly to maintain due to the different types of network equipment, each potentially requiring proprietary software for administration and monitoring. There are also significant challenges in the processes and tools that acquire and continuously maintain the relevant data, and these tools/protocols for network management are dependent upon proper configuration and administrative control. Further, production networks tend to grow by accretion, with branches, subnetworks, and servers added on an as-needed basis. As networks get larger, responsibility (and authority) over such networks tends to become more convoluted. In large enterprises, the responsibility for security is generally divided into entirely different organizations, and different aspects and regions of the networks are further divided. Limited and/or out-of-date views severely hamper the ability to detect the presence of attacks and attackers (including potentially malicious “stealth” devices), or result in networks that are needlessly open. In addition, the process for collecting topology information is so labor intensive that mapping occurs sporadically and quickly becomes out of date.
Current technologies in the areas of network mapping, network coordinate systems, bandwidth estimation, and network tomography have been unable to solve these problems. These approaches are commonly applied to the problem at the scale of mapping the Internet and do not utilize the key advantages available when mapping the network topology of a managed enterprise. Even products that provide some enterprise-scale network-management capabilities generally use network-management protocols to communicate directly with network devices and ask them for information about the systems with which they have communicated. These products require administrators to know which devices form the backbone of their network, and do not provide management privileges over, or the ability to communicate with, all forms of network devices. Further, these products cannot identify systems that fail to identify themselves in response to identification requests, or that report themselves as one entity but may actually be a very different entity (e.g., a stealth or rogue device). Other tools rely on various protocols to build a picture of what is actually present on the network, but these point-in-time scans quickly become out of date and also tend to focus on mapping the entire Internet.
Therefore, there is a need in the art for a solution that reliably and securely detects network devices (including devices that may be hiding from detection or reporting themselves as something different from what they actually are), that can also map the topology of regularly changing networks in real time, and that can accurately maintain this topology over a period of time.